Issue With For loop in flow

[tarunKoyalwar]

Nuclei version:

main | latest

Current Behavior:

id: ldap-obb
info:
  name: ADObject represents an Active Directory object
  author: pussycat0x
  severity: high
  description: |
    EasyCVR video management platform has leaked user information
  reference:
   - https://docs.projectdiscovery.io/templates/protocols/javascript/modules/ldap.ADObject
  metadata:
    verified: true
    shodan-query: ldap
  tags: unauth,easycvr,misconfig

flow: |
  for(let i = 0; i < 10; i++) {
    set("data", "${i}")
    javascript(1)
  }

self-contained: true

javascript:
  - code: |
      Export(template.data)

    matchers:
      - type: dsl
        dsl:
          - len(response) > 0

When any template that use flow and contains any sort of loop ( for , while ) is executed , due to implicit storage of variables of every protocol

• previous protocol responses are stacked in every loop
• previous protocol responses + new responses of every loop are stored

while this may not have visible effect in javascript but will have significant impact if http protocol is present. it has 2 impacts

• clutters -v -svd output due to stacking
• redundant increase of RAM/Memory which might cause OOM if enough such templates are run concurrently depending on number of iterations of for loop

Expected Behavior:

• each iteration of for loop should act like a different branch of tree, like a fork and thus no stacking or redundant storage of data of all iterations

./nuclei -t a.yaml -v -svd

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.9

        projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.9 (latest)
[INF] Current nuclei-templates version: v9.9.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 164
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[DBG] Javascript Protocol request variables: 
    1. FQDN => 
    2. Host => 
    3. Hostname => 
    4. Port => 
    5. data => ${i}

[VER] [ldap-obb] Sent Javascript request to 
[DBG] Javascript Protocol response variables: 
    1. FQDN => 
    2. Host => 
    3. Hostname => 
    4. Port => 
    5. data => ${i}
    6. host => 
    7. interactsh-server => 
    8. ip => 
    9. javascript_FQDN => 
    10. javascript_Host => 
    11. javascript_Hostname => 
    12. javascript_Port => 
    13. javascript_data => ${i}
    14. javascript_host => 
    15. javascript_ip => 
    16. javascript_matched => 
    17. javascript_request => Export(template.data)
    18. javascript_response => ${i}
    19. javascript_success => true
    20. javascript_type => javascript
    21. matched => 
    22. request => Export(template.data)
    23. response => ${i}
    24. success => true
    25. template-id => ldap-obb
    26. template-info => {ADObject represents an A .... ap verified:true] <nil> }
    27. template-path => /Users/tarun/Codebase/nuclei/a.yaml
    28. type => javascript

[ldap-obb] [javascript] [high] 

... omitted for simplicity ...

[VER] [ldap-obb] Sent Javascript request to 
[DBG] Javascript Protocol response variables: 
    1. FQDN => 
    2. Host => 
    3. Hostname => 
    4. Port => 
    5. data => ${i}
    6. host => 
    7. interactsh-server => 
    8. ip => 
    9. javascript_FQDN => 
    10. javascript_Host => 
    11. javascript_Hostname => 
    12. javascript_Port => 
    13. javascript_data => ${i}
    14. javascript_host => 
    15. javascript_ip => 
    16. javascript_javascript_FQDN => 
    17. javascript_javascript_Host => 
    18. javascript_javascript_Hostname => 
    19. javascript_javascript_Port => 
    20. javascript_javascript_data => ${i}
    21. javascript_javascript_host => 
    22. javascript_javascript_ip => 
    23. javascript_javascript_javascript_FQDN => 
    24. javascript_javascript_javascript_Host => 
    25. javascript_javascript_javascript_Hostname => 
    26. javascript_javascript_javascript_Port => 
    27. javascript_javascript_javascript_data => ${i}
    28. javascript_javascript_javascript_host => 
    29. javascript_javascript_javascript_ip => 
    30. javascript_javascript_javascript_javascript_FQDN => 
    31. javascript_javascript_javascript_javascript_Host => 
    32. javascript_javascript_javascript_javascript_Hostname => 
    33. javascript_javascript_javascript_javascript_Port => 
    34. javascript_javascript_javascript_javascript_data => ${i}
    35. javascript_javascript_javascript_javascript_host => 
    36. javascript_javascript_javascript_javascript_ip => 
    37. javascript_javascript_javascript_javascript_javascript_FQDN => 
    38. javascript_javascript_javascript_javascript_javascript_Host => 
    39. javascript_javascript_javascript_javascript_javascript_Hostname => 
    40. javascript_javascript_javascript_javascript_javascript_Port => 
    41. javascript_javascript_javascript_javascript_javascript_data => ${i}
    42. javascript_javascript_javascript_javascript_javascript_host => 
    43. javascript_javascript_javascript_javascript_javascript_ip => 
    44. javascript_javascript_javascript_javascript_javascript_javascript_FQDN => 
    45. javascript_javascript_javascript_javascript_javascript_javascript_Host => 
    46. javascript_javascript_javascript_javascript_javascript_javascript_Hostname => 
    47. javascript_javascript_javascript_javascript_javascript_javascript_Port => 
    48. javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    49. javascript_javascript_javascript_javascript_javascript_javascript_host => 
    50. javascript_javascript_javascript_javascript_javascript_javascript_ip => 
    51. javascript_javascript_javascript_javascript_javascript_javascript_javascript_FQDN => 
    52. javascript_javascript_javascript_javascript_javascript_javascript_javascript_Host => 
    53. javascript_javascript_javascript_javascript_javascript_javascript_javascript_Hostname => 
    54. javascript_javascript_javascript_javascript_javascript_javascript_javascript_Port => 
    55. javascript_javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    56. javascript_javascript_javascript_javascript_javascript_javascript_javascript_host => 
    57. javascript_javascript_javascript_javascript_javascript_javascript_javascript_ip => 
    58. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_FQDN => 
    59. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Host => 
    60. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Hostname => 
    61. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Port => 
    62. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    63. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_host => 
    64. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_ip => 
    65. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_FQDN => 
    66. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Host => 
    67. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Hostname => 
    68. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Port => 
    69. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    70. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_host => 
    71. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_ip => 
    72. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_FQDN => 
    73. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Host => 
    74. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Hostname => 
    75. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Port => 
    76. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    77. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_host => 
    78. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_ip => 
    79. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_matched => 
    80. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    81. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    82. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_success => true
    83. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    84. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_matched => 
    85. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    86. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    87. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_success => true
    88. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    89. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_matched => 
    90. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    91. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    92. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_success => true
    93. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    94. javascript_javascript_javascript_javascript_javascript_javascript_javascript_matched => 
    95. javascript_javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    96. javascript_javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    97. javascript_javascript_javascript_javascript_javascript_javascript_javascript_success => true
    98. javascript_javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    99. javascript_javascript_javascript_javascript_javascript_javascript_matched => 
    100. javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    101. javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    102. javascript_javascript_javascript_javascript_javascript_javascript_success => true
    103. javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    104. javascript_javascript_javascript_javascript_javascript_matched => 
    105. javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    106. javascript_javascript_javascript_javascript_javascript_response => ${i}
    107. javascript_javascript_javascript_javascript_javascript_success => true
    108. javascript_javascript_javascript_javascript_javascript_type => javascript
    109. javascript_javascript_javascript_javascript_matched => 
    110. javascript_javascript_javascript_javascript_request => Export(template.data)
    111. javascript_javascript_javascript_javascript_response => ${i}
    112. javascript_javascript_javascript_javascript_success => true
    113. javascript_javascript_javascript_javascript_type => javascript
    114. javascript_javascript_javascript_matched => 
    115. javascript_javascript_javascript_request => Export(template.data)
    116. javascript_javascript_javascript_response => ${i}
    117. javascript_javascript_javascript_success => true
    118. javascript_javascript_javascript_type => javascript
    119. javascript_javascript_matched => 
    120. javascript_javascript_request => Export(template.data)
    121. javascript_javascript_response => ${i}
    122. javascript_javascript_success => true
    123. javascript_javascript_type => javascript
    124. javascript_matched => 
    125. javascript_request => Export(template.data)
    126. javascript_response => ${i}
    127. javascript_success => true
    128. javascript_type => javascript
    129. matched => 
    130. request => Export(template.data)
    131. response => ${i}
    132. success => true
    133. template-id => ldap-obb
    134. template-info => {ADObject represents an A .... ap verified:true] <nil> }
    135. template-path => /Users/tarun/Codebase/nuclei/a.yaml
    136. type => javascript

[ldap-obb] [javascript] [high] 

Anything else:

[tarunKoyalwar]

this can be observed in cloud checks because each of those templates utilize for loop

[tarunKoyalwar]

tagging for visibility since it can has direct impact on RAM/Memory usage

cc: @Ice3man543 @Mzack9999 @ehsandeep